Introduction Privacy, Security and Risk Management. What Healthcare Organizations Need to Know

Similar documents
Protecting your next investment: The importance of cybersecurity due diligence

CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston

HIPAA Enforcement Training for State Attorneys General

Cybersecurity and Hospitals: A Board Perspective

Cybersecurity Risk Mitigation: Protect Your Member Data. Introduction

Cyber Threat Intelligence Debbie Janeczek May 24, 2017

FDA & Medical Device Cybersecurity

Medical Device Cybersecurity: FDA Perspective

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

Addressing the elephant in the operating room: a look at medical device security programs

Evaluating the Security of Your IT Network. Vulnerability Scanning & Network Map

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

Cybersecurity in Higher Ed

HEALTH CARE AND CYBER SECURITY:

Information Governance, the Next Evolution of Privacy and Security

Cyber Security Issues

Cybersecurity and Nonprofit

Monthly Cyber Threat Briefing

Securing IT Infrastructure Improve information exchange and comply with HIPAA, HITECH, and ACA mandates

Cybersecurity for Health Care Providers

NE HIMSS Vendor Risk. October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

HIPAA Privacy, Security Lessons from 2016 and What's Next in 2017

Incident Response: Are You Ready?

(c) Apgar & Associates, LLC

Data Compromise Notice Procedure Summary and Guide

New Guidance on Privacy Controls for the Federal Government

CYBER SOLUTIONS & THREAT INTELLIGENCE

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

TECHLAW AUSTRALIA. Update on cyber security and data protection. Thursday, 22 June Thursday, 22 June

Dr. Stephanie Carter CISM, CISSP, CISA

STANDARD INFORMATION SHARING FORMATS. Will Semple Head of Threat and Vulnerability Management New York Stock Exchange

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

Designated Cyber Security Protection Solution for Medical Devices

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

Securing the Internet of Things (IoT) at the U.S. Department of Veterans Affairs

Software & Supply Chain Assurance: Enabling Enterprise Resilience through Security Automation, Software Assurance and Supply Chain Risk Management

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

BoostMyShop.com Privacy Policy

Achieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs)

Cybersecurity, safety and resilience - Airline perspective

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Building Resilience in a Digital Enterprise

Security in a Converging IT/OT World

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

LEXICON. An introduction to basic cybersecurity terminology and concepts THE (ISC) 2 CYBERSECURITY LEXICON 1

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Mission: Continuity BUILDING RESILIENCE AGAINST UNPLANNED SERVICE INTERRUPTIONS

Cybersecurity. Securely enabling transformation and change

CROWDSTRIKE FALCON FOR THE PUBLIC SECTOR

Executive Insights. Protecting data, securing systems

HIPAA Highlights and Impact to your Telehealth Program. Wednesday, Sept 27, 2017

Detecting breach. There are only two types of organisations in the world... Terry Greer-King Director, Cyber security, UK & Africa May 2017

Evolving Cybersecurity Strategies

HIPAA Security and Privacy Policies & Procedures

Healthcare HIPAA and Cybersecurity Update

Vulnerability Assessment Process

The Relationship Between HIPAA Compliance and Business Associates


Policy and Procedure: SDM Guidance for HIPAA Business Associates

HIPAA ( ) HIPAA 2017 Compliancy Group, LLC

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Security Awareness Training Courses

Security Audit What Why

The Next Frontier in Medical Device Security

PULSE TAKING THE PHYSICIAN S

Cybersecurity, Trade, and Economic Development

POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Cyberspace : Privacy and Security Issues

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

PLEASE NOTE. - Text the phrase MICHAELBERWA428 to the number /23/2016 1

ANATOMY OF AN ATTACK!

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

CACUBO Higher Education Accounting Workshop Top 10 Cyber Security Issues for Higher Education Business Managers. May 2017

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

A HIPAA Compliance and Enforcement Update from the HHS Office for Civil Rights Session #24, 10:00 a.m. 11:00 a.m. March 6, 2018 Roger Severino, MSPP,

Cyber Security For Utilities Risks, Trends & Standards. IEEE Toronto March 22, Doug Westlund Senior VP, AESI Inc.

Electronic Communication of Personal Health Information

2018 Guide to Building Your Security Strategy. January 23, pm 2 pm ET

HIPAA Tips and Advice for Your. Medical Practice

The UK s National Cyber Security Strategy

The National Medical Device Information Sharing & Analysis Organization (MD-ISAO) Initiative Session 2, February 19, 2017 Moderator: Suzanne

Data Backup and Contingency Planning Procedure

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

Cyber Security in Smart Commercial Buildings 2017 to 2021

RSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE

American Association of Port Authorities Port Security Seminar & Expo Cyber Security Preparedness and Resiliency in the Marine Environment

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer

Office 365 Buyers Guide: Best Practices for Securing Office 365

HOW SAFE IS YOUR DATA? Micho Schumann, KPMG, Cayman Islands

HIPAA Security Rule: Annual Checkup. Matt Sorensen

Penetration Testing! The Nitty Gritty. Jeremy Conway Partner/CTO

HIPAA & Privacy Compliance Update

Unit Compliance to the HIPAA Security Rule

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

Threat analysis. Tuomas Aura CS-C3130 Information security. Aalto University, autumn 2017

Transcription:

Introduction Privacy, Security and Risk Management What Healthcare Organizations Need to Know

Agenda I. Privacy, Security and Confidentiality Definitions in a Healthcare Context Patient Privacy concerns Security CIA II. Today s Health IT Environment Creates Security Risk III. Risk Management Concepts

Privacy and Security Terminology in a Healthcare Context Health Information Privacy An individual s right to control the acquisition, uses or disclosures of their identifiable data Security The physical, technical or administrative safeguards used to protect data from unwarranted access or disclosure Confidentiality Use The obligation of those who receive the information to respect the privacy interests of those to whom the data relate Within an organization Disclosure Between/among independent organizations

Patient P&S Concerns Types of information collected How the information is handled internally Whether and how information is disclosed to external parties of any kind Children s privacy Security policies and procedures: physical and transmission Data mining/analysis policies User access to information The ability to correct information that was recorded in error Ability for privacy options to opt-in or opt-out How a site notifies users about any changes How to contact a site with questions AARP, Personal Health Records: An Overview of What is Available to the Public

Most Visible Privacy Policy Topics Confidentiality of Individual s Electronic Health Information Sharing of Individual s ephi Uses and Disclosures Secondary Uses of Health Data Research, Marketing, Precision Medicine Data Ownership Model Who owns the data? Security Breach Notification Does the individual have the right to know that about a breach that their privacy has been violated?

Healthcare s Use of IT Creates Security Risk Use of information technology has increased exponentially Information systems and networks now have nearly unlimited connectivity Medical Devices, monitoring devices and telehealth applications are all computer and internet enabled

Security - The CIA Triad Confidentiality The information is not made available or disclosed to unauthorized individuals, entities, or processes Integrity Accuracy of the data must be maintained. Data cannot be modified in an unauthorized or incorrect manner. Availability The information must be available when needed.

Most often in Healthcare, we focus on Confidentiality Protect Patient s Privacy The information is not made available or disclosed to unauthorized individuals, entities, or processes Integrity Accuracy of the data must be maintained. Data cannot be modified in an unauthorized or incorrect manner. Availability The information must be available when needed.

But, there are other aspects Patient Safety! Confidentiality The information is not made available or disclosed to unauthorized individuals, entities, or processes Integrity Accuracy of the data must be maintained. Data cannot be modified in an unauthorized or incorrect manner. Availability The information must be available when needed.

Today s Threats Increase in sophisticated threats and exponential growth rate in malware Cyber attacks are more organized, disciplined, and aggressive than ever before Today, adversaries are nation states, terrorist groups, and organized crime, and they are well funded and highly motivated This results in an increasing number of penetrations of information systems in both the public and private sectors.

Threat Terminology Threat - the potential for a particular threat-source to successfully exercise a particular vulnerability. Vulnerability- a weakness that can be accidentally triggered or intentionally exploited. A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system s security policy. * Source NIST SP 800-30 - http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

Threat Terminology (continued) Threat-source - any circumstance or event with the potential to cause harm to an IT system. Common threat sources can be natural, human, or environmental. Threat motivator - reason for or goal of action Threat actor person, entity or program that executes

Advanced Persistent Threat A threat actor that: Possesses significant expertise and resources Creates opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, social engineering). Establishes footholds within IT infrastructure of targeted organizations: - To exfiltrate information; - To undermine / impede critical aspects of a mission, program, or organization; and - To position itself to carry out these objectives in the future.

Healthcare Organizations are Challenged to: Invest in New Technologies to Reduce Cyber Risk, for example, Identity Management Solutions Biometrics,etc. Educate the Board of Directors & C-Suite about why Cybersecurity is a Business Priority Address the Human Factor : Insider Threats, Phishing Attacks, Mock Cyber/Phishing Exercises Upgrading Legacy Systems, Software, & Devices

Healthcare Organizations are Challenged to: Secure New Technology Technology innovation may outpace data security innovation (for example, Mobile) Manage Product Life Cycles Keeping Existing Software, Devices, & Systems Secure Vendors Should Have a Mechanism for Updates & Fixes

Discussion

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback